05-09-2021 05:30 AM
Hello everyone!
Recently my organization got an AS number from the RIR. And I have a task to configure BGP with 2 ISPs in the following way: my organization must be accessible from the Internet through only 1 ISP at a time (one router is used to connect to both ISPs). Also I have to be able to switch providers if required. For example, today my organization must be accessible from the Internet only via ISP-1, but tomorrow it must be accessible from the Internet only via ISP-2.
Can someone explain how I can do this?
I have an idea about shutting down the neighbour adjacency with a certain ISP with the command: neighbor Neighbour-ID shutdown.
Or I can use AS_PATH prepending (a dubious option in my opinion).
Maybe other ideas?
And how long will it take for the organization's network to become available when I switch providers?
05-09-2021 06:10 AM
Hello,
are both ISPs terminated on the same router? Either way, if the intervals during which you need to access the Internet through one ISP, and then through another, are always the same, you can automate the failover by using an EEM script that runs at certain time intervals.
What that script looks like depends on the first question: are both ISPs terminated on one router, or on two different routers?
05-09-2021 07:15 AM - edited 05-09-2021 07:16 AM
Yes, both ISPs are terminated on the same router.
Sorry, I put it wrong. Switching between ISPs doesn't depend on time intervals. It depends on the situation. For example, DDoS attacks on one of the ISPs or some problems in one of the ISPs' networks. In the picture, ISP-1 was the ISP through which my organization was accessible. But a DDoS attack occurred at some moment on ISP-1. And I want to switch my "main" ISP to ISP-2 so that other ISPs can reach the network of my organization.
05-09-2021 08:09 AM
Also another question appears. Can the ISP notify other ISPs via BGP that my network is unreachable (due to the neighbor Neighbour-ID shutdown command) when a DDoS attack occurs?
05-10-2021 01:04 PM
Before we go much further with this discussion we need to clarify a few things:
- what are you using for IP addressing with the ISPs? Do you have your own Provider Independent address block? Or are you using an IP address assigned from one Provider, or 2 address blocks (one from each provider)?
- the direction of traffic is significant. Traffic originated from your network to the Internet can be directed to one provider or the other without great complexity. But traffic originated from the Internet to your network presents challenges. Are there any resources in your network (web servers, mail servers, etc) that need to receive traffic originated from sources in the Internet?
05-10-2021 03:56 PM - edited 05-10-2021 04:04 PM
Hello
If you have a single BGP rtr peering with dual ISPs, I would say the need to use EEM scripting wouldn't be required if you want to accomplish failover.
Using the BGP path attributes such as weight and AS-path prepending could be applicable, but at this time you need to elaborate a bit more on your current BGP topology to make a valid suggestion.
Regarding DDoS attacks on your network via BGP, you would expect your ISP would be prepared for this and act to negate such an attack upon a request by the client (you) to black hole the source or destination of the attack.
This is performed by a BGP security feature called Remotely Triggered Black Hole (RTBH) - Please review
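As an added example (not posted by anyone in this thread), here is an IOS-style BGP configuration for the single-router, dual-ISP setup discussed above. It keeps both eBGP sessions up but advertises the organization's prefix only to the active ISP, so the Internet reaches the network through one provider at a time; the AS_PATH prepending variant from the first post and the neighbor shutdown alternative are shown as comments. The AS numbers, prefix, peer addresses and route-map names are all made-up placeholders.

```ios
! Added example with placeholder values (not from the thread):
!   local AS 65000, provider-independent prefix 203.0.113.0/24
!   ISP-1: peer 192.0.2.1,     AS 65001  (active for inbound traffic)
!   ISP-2: peer 198.51.100.1,  AS 65002  (standby, session stays up)
!
! Anchor the aggregate so the "network" statement has a route to originate
ip route 203.0.113.0 255.255.255.0 Null0
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
!
! Outbound policy for the ACTIVE provider: announce our prefix only
route-map ADVERTISE-PREFIX permit 10
 match ip address prefix-list OUR-PREFIX
!
! Outbound policy for the STANDBY provider: announce nothing, so the
! Internet can reach us only via the active ISP (a route-map with a single
! deny clause filters every update)
route-map ADVERTISE-NOTHING deny 10
!
! The "dubious" variant: keep announcing to both ISPs but make the standby
! path longer. Networks close to the standby ISP may still prefer it, so this
! does not give a strict one-ISP-at-a-time guarantee.
route-map ADVERTISE-PREPENDED permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 65000 65000 65000
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 description ISP-1
 neighbor 192.0.2.1 route-map ADVERTISE-PREFIX out
 neighbor 198.51.100.1 remote-as 65002
 neighbor 198.51.100.1 description ISP-2
 neighbor 198.51.100.1 route-map ADVERTISE-NOTHING out
!
! Cutover to ISP-2 (e.g. ISP-1 is absorbing a DDoS): swap the two outbound
! policies and push them without tearing down either session.
!   router bgp 65000
!    neighbor 192.0.2.1 route-map ADVERTISE-NOTHING out
!    neighbor 198.51.100.1 route-map ADVERTISE-PREFIX out
!   clear ip bgp 192.0.2.1 soft out
!   clear ip bgp 198.51.100.1 soft out
!
! Hard alternative from the first post: "neighbor 192.0.2.1 shutdown" drops
! the whole session, which also removes every route learned from ISP-1.
!
! Verify which ISP currently carries the announcement:
!   show ip bgp neighbors 192.0.2.1 advertised-routes
!   show ip bgp neighbors 198.51.100.1 advertised-routes
```

On the timing question from the first post: when the policy swap is pushed, ISP-1 receives a BGP withdraw for the prefix and ISP-2 receives an announcement, and each provider propagates that to its own peers. How quickly the rest of the Internet converges is outside the organization's control (it depends on the providers' update timers and how far the prefix has to travel), but it is typically seconds to a few minutes rather than hours. This is also the answer to the later question about notification: withdrawing the prefix from ISP-1 is exactly how BGP tells the other ISPs that the path through ISP-1 is gone.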